CPM

CyberArk AAM Integration - Password Retrieval

Applicable versions: CPM 4.7.1

General Information

AAM Integration Template:

With this integration, the Celonis end-user does not have to enter sensitive database credentials into the configuration files or the frontend of the application anymore.

Please find the step-by-step description for the technical setup in the AAM Integration Template. The technical preparation of Celonis 4 is also described in more detail in the Operation Guide.

Note: Requires an active and licensed CyberArk Privileged Access Security Solution.

Prerequisites
  1. The javapasswordsdk.jar runtime library supplied by CyberArk has been placed in the <installDir>/lib folder in the Celonis 4 installation directory.

  2. The CyberArk Credential Provider Agent (aimprv service on Linux, CyberArk Application Password Provider Service on Windows) is running on the same instance as the Celonis service.

Password retrieval - configuration files

After connecting Celonis to CyberArk, the Java Properties of every custom *.properties file inside the Celonis installation directory can be configured for retrieval via CyberArk.

The properties to be retrieved via CyberArk need to have the following format:

<<property.name>>=cyberark-sdk:<<LIST_OF_OBJECT_ARGUMENTS>>

With:

<<property.name>>

Java Property name to be retrieved. For example database.password.

cyberark-sdk:

Mandatory prefix for the use of CyberArk (colon included)

<<LIST_OF_OBJECT_ARGUMENTS>>

URL-encoded string of CyberArk object request arguments (e.g. AppID, Safe, Object, Reason) in a URL query format. Properties are separated by “&”. Property name and value are separated by “=”.

Example:

database.password=cyberark-sdk:appid=yourcompanyappid&safe=safename&object=objectname&reason=cpm4-application-db-configuration

Notes:

  • appid, safe, object and reason are typical CyberArk request arguments. The example can be extended with any argument that the CyberArk Java SDK exposes as a setter taking a single String (e.g. setPolicyID(String) -> policyid, setFolder(String) -> folder, ...). Please refer to the PSDKPasswordRequest Java class documentation for all supported arguments.

  • The request arguments are case-insensitive.

  • As <<LIST_OF_OBJECT_ARGUMENTS>> is a URL-encoded string, values that contain special characters can be passed by URL-encoding them. For example, a request whose reason is a quoted string with extended characters such as []{}/ and [陰]{陽} could look like this:

database.password=cyberark-sdk:appid=testappid&safe=test&object=cpm4&reason=%22Some%20weird%20quoted%20reasn'%20with%20extended%20chars%3A%20%5B%5D%7B%7D%2F%2C%20and%20chinese%20hieroglyphs%20%5B%E9%99%B0%5D%7B%E9%99%BD%7D%22
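
The following Python helper is an added example, not part of the Celonis or CyberArk documentation. It builds and parses values in the cyberark-sdk: format described above and flags password properties that still hold a literal value instead of a reference. It assumes standard percent-decoding of argument values; the sample file and the ldap.password property name are constructed.

```python
from urllib.parse import quote, unquote

PREFIX = "cyberark-sdk:"  # mandatory prefix from the page, colon included

# Constructed sample file; property names other than database.password are made up.
SAMPLE = """\
# constructed sample
database.user=celonis
database.password=cyberark-sdk:appid=yourcompanyappid&safe=safename&object=objectname
ldap.password=literal-secret-here
"""


def build_reference(**args):
    """Return a cyberark-sdk: value with every argument value percent-encoded."""
    if not args:
        raise ValueError("at least one request argument is required")
    # '&' and '=' are separators, so safe='' forces them to be encoded in values.
    pairs = [f"{name.lower()}={quote(str(value), safe='')}" for name, value in args.items()]
    return PREFIX + "&".join(pairs)


def parse_reference(value):
    """Split a cyberark-sdk: value into {lower-cased name: decoded value}."""
    if not value.startswith(PREFIX):
        raise ValueError("not a cyberark-sdk reference")
    result = {}
    for pair in value[len(PREFIX):].split("&"):
        name, sep, raw = pair.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed argument: {pair!r}")
        key = name.lower()  # argument names are case-insensitive per the page
        if key in result:
            raise ValueError(f"duplicate argument: {key}")
        result[key] = unquote(raw)
    return result


def find_plaintext_passwords(properties_text):
    """List password-like property names whose value is not a cyberark-sdk reference."""
    findings = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if "password" in name.lower() and not value.strip().startswith(PREFIX):
            findings.append(name.strip())
    return findings
```

Running find_plaintext_passwords over each custom *.properties file after the migration gives a quick check that no credential was left behind in clear text.
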
Password retrieval - frontend

The frontend configuration follows the same rules and notes as the configuration of the properties. Retrieving the passwords requires the following format:

cyberark-sdk:<<LIST_OF_OBJECT_ARGUMENTS>>

Example:

cyberark-sdk:appid=yourcompanyappid&safe=safename&object=objectname&reason=cpm4-application-db-configuration
Applicable passwords in the frontend
Database connections

The "password" to connect to a database from within a Data Model.

Source configurations
  • “LDAP password” in System Settings → Source Configurations → LDAP Sources

  • “Database password” in System Settings → Source Configurations → Database Sources

SMTP Server configuration

SMTP Server Password in System Settings → Mail
